Bitcoin Forum

Security analysis of PoW/PoS hybrids with low PoW reward

Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.

A pair of examples:
Mintcoin scrypt diff 0.1 (vs Litecoin 5677)
SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)

At such difficulty PoW blocks can be mined with speed of light.

Attack I

It is possible to build sequential chain of PoW blocks to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.

Is it hard to orphan the chain of PoW blocks?
One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.
If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.
This dramatically increases chance to success in comparison to pure PoW attack.

Ability to confirm a transaction and then orphan confirmations is ability to double spend.

Summary: double spend attack requires 1 PoS block and low hashing power.

Visualization: https://i.imgur.com/Pyrw75q.png

Attack II

Current implementation of stake miner gives up if median time of last blocks is in future.
This temporarily makes the whole network PoW-only and opens well known 51% PoW attack.

Attacker needs only 6 of 11 last blocks.

Successfully tested on Mintcoin: no PoS blocks from 203231 up to 203441, more than 1 hour of real time.

Where is Sunny King?  I will take this as nothing more than FUD until the godfather weighs in.

Can anyone test or confirm?

I was wondering if there have been any successful PoS attacks yet. PoS is new to me.

Very true. POW is necessary for these coins to secure the network...and when minted coins are low (with little value), miners have an incentive to mine a different coin and sell it for their coin of choice. Few miners = low network hash = poorly protected public ledger. And, after all, we are investing in systems that maintain the public ledger in different ways.

I'm all in on cryptos, but the network strength of bitcoin is what gives it value right now over the cryptos.

Not really a big deal, if it is an issue just fork it to not accept any more POW blocks.

PoW/PoS hybrids are supposed to be immune to attack. (at least CGB is/claims to be)
CryptogenicBullion has a good explanation on their site.

attack one and see what happens

POW has been proved

POW POS Hybrid have been proved, Sunny made a really nice software

POS only have never been proved,  have less programers dedicated to.

Thats the true.

This is a joke. Nice try to spread FUD about other coins, rat4, to try and promote your pure PoS blackcoin. How is it that Blackcoin prevents attack forks as a pure PoS coin, again?

You say "a sequential chain of PoW blocks can be mined in a flash."
Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks. In a PoS/PoW hybrid there is no way to predict or control whether or not the next block will be PoS or PoW and therefore you cannot guarantee you will be in control of a long stream of blocks unless you have 51% of the PoW and PoS power.

Now, this brings up an issue with pure PoS coins such as your Blackcoin... That I have yet to be seen answered in any technical detail. How, when it is pure PoS and it IS known that every block in a row will be PoS, can you prevent an attack such as the one anonymousg64 brings up:


Without PoW blocks to interrupt such an attack, how is it prevented?

This thread of yours is in really bad taste, rat4, you should find better ways of promoting your coin.

I await your reply, and your explanation as to how PoS coins are safe from a TX/coinage attack.

pretty obvious that a hybrid POW/POS is more secure than a pure POS ...

to make an attack you have to control hash and coin age in a POW/POS hyrbid, while a pure POS coin like blackcoin
only need to control coin age ... thus inferior

so what happen here with blackcoin:
http://www.blackcoin.co/wallet-2/official-statement-regarding-blockchain-problems-23rd-of-march/
https://i.imgur.com/o9PbvcH.png

I'll trust this for now
https://bitcointalk.org/index.php?topic=551861.msg6010168#msg6010168

Yes, this is purely a discussion for us. The connection to BlackCoin is purely rat4 being the dev of it.

The earlier blockchain stuck we had for BlackCoin has nothing to do with this and is not adding to the discussion so far. We are talking hybrid PoW/PoS coins and their security.

Well, now we are also talking pure PoS coins and their security- which is much less tested and founded. I still await a technical response as to how pure PoS prevents the type of transaction/coinage attacks that anonymousg64 has outlined before.

I have asked many times on the blackcoin thread, and so have others, as to how pure PoS is safe. No reply, other than directing me to Sunny's answers, which actually only pertain to PoS/PoW hybrids if I am not mistaken.

The Blackcoin DEV dont wanna answer..

He throws the rock and hides the hand.

maybe hes AFK?

He started the Thread minutes ago!!!!!!!

Or he is sleeping.

This is not an attack on either Mint or Shacoin, this is purely an observation on hybrid pow/pos systems. If you want to discuss PoS security i do invite you to join IRC ##blackcoin on freenode and seek out rat4 there when he is awake.

Also, i'm not the dev of blackcoin

Yeah, as a professional he has more important business than engaging in this peeing contest. Make what you will of his analysis, do your own due diligence and try to come to rational conclusions based on what you learn rather than your emotional ties to this or that coin.

You guys are to be called out for the blatant and utter hypocrisy of Fudding the Blackcoin thread for days with inflammatory dirt, and then having hissy-fits when the Blackcoin dev weighs in with a technical statement, and you crying "fud, fud!"

Shame on you all for your childishness and abysmal conduct, which only hinders the progress of cryptocurrency. Examine your motivations more thoroughly.

check time stamp again..it was a 5 hours ago

He has more important business to do? Yet he starts this thread? And then walks away? It was important enough for him to start the thread but not important enough for him to reply to responses? Still, nobody has addressed what I brought up and nobody has addressed the "time bomb" that greentea brought up. Now you are just trying to defame us on a personal level instead of addressing the content of what we said.

Examine the motivations of your dev more thoroughly.

Agreed. I will wait patiently for a technical response to what I said about the relative security of PoS/PoW vs pure PoS, and to the "timebomb".

I won't delete my initial post as it contains content which I want addressed, but I do regret having been so offensive in the manner of its presentation. Nonetheless, it is the content that matters.

All parties agreed then, myself included, if the discussion can be maintained as a discussion and not a repeat of yesterday.

This was answered many times in the black coin thread and here you are asking it again.  

https://bitcointalk.org/index.php?topic=469640.msg5971244#msg5971244 (https://bitcointalk.org/index.php?topic=469640.msg5971244#msg5971244)

Oh look at YOUR REPLY
https://bitcointalk.org/index.php?topic=469640.msg5971375#msg5971375 (https://bitcointalk.org/index.php?topic=469640.msg5971375#msg5971375)


So why are you here bringing it up again today in a new thread?

Because the answers that you speak of are just links to a comment from Sunny King, which actually only applies to PoS/PoW hybrids- as that is what he was working with. Am I mistaken? I still await a technical response that pertains to pure PoS specifically.

If i said said anything further about it on the blackcoin thread, I would have been ran out of there and labeled as a FUDer.

I will patiently await a technical response which pertains specifically to pure PoS and a technical response to my initial comment which also outlines why I think PoS/PoW hybrid systems are not vulnerable in the manner that rat4 proposes.

That is YOUR reply I quoted.

You must have read the answer at one point, because YOU commented that your question was answered, but I will summarize it again here just to be perfectly clear.

• Blackcoin use POS 0.3.0 protocol which has no known vulnerabilities at this time
• The "attack" suggested is impossible because coins do not stake on age alone, therefore making deposits at small intervals in no way guarantees you will generate POS blocks at those intervals.  In fact splitting coins to generate these intervals will make the chance of staking at each interval even less

Right, it uses "POS 0.3.0 protocol which has no known vulnerabilities at this time" in the context of a PoS/PoW hybrid, right? It has never been tested in the context of pure PoS, right? Was it designed for pure PoS? Wasn't it designed by Sunny King for a PoS/PoW hybrid (peercoin)?

The second point you reiterated seems legit to me.

I will restate: If i said said anything further about it on the blackcoin thread, I would have been ran out of there and labeled as a FUDer.
Similar to how what I am saying now, not on the blackcoin thread, is drawing so much heat.

I'm not giving you heat, i'm only answering your question.. again.

Saying Sunny King's fix only applies to POS/POW hybrids is incorrect, it fixed the POS protocol. Period. 

The timebomb attack is not feasible because coins do not stake on age alone, there are other factors.   Even if you could guarantee that all your coins ages were spaced at a minimum interval there is no guarantee they will all stake at their intervals. Also POS blocks have a target time interval, so coins that were eligible to stake too soon would not generate blocks any faster than the target interval, there is no way that one person could force their coins to be the ones to generate stake for many consecutive intervals.  This attack is pure nonsense.  

But Sunny King fixed PoS in the context of PoS/PoW hybrid, not pure PoS. Right?

Since there have not been any other pure POS coins yes the fix was originally applied to a POS/POW hybrid.  Nevertheless the fix is for the POS protocol and did nothing to POW. The fix ensured that POS was a secure way to generate blocks to secure a blockchain.  If you know of any vulnerabilities in POS please make them known so they can be addressed.

I don't know the specific vulnerabilities, I'm not saying that there necessarily are any. My argument is purely from a logic standpoint. If the security of PoS was in any way dependent upon PoW in the PoS/PoW hybrid system, then just because the PoS security flaws were fixed in that context doesn't mean they will be fixed when PoS is standing alone, or that new security flaws wouldn't be introduced when PoS stands alone. So the question is, did Sunny build/fix PoS to be completely secure standing alone or was it in anyway dependent on PoW? I guess this is ultimately what I am trying to figure out.

POS and POW are completely separate and different systems.  They do not depend on each other at all.  They work separately and can compliment each other as 2 different methods to secure a block chain or they can each stand alone. 

Sunny built them to be dependent on each other. POW is a proven system. POW/POS is a proven system. POS is not and may be vulnerable to attack.

OP's point is that a POW/POS system with very small rewards creates a weak POW system that someone could exploit and it would essentially be the same as a standalone POS system which may be vulnerable.

You clearly did not understand the OP. That is not the OP's point at all.  The OP's point is that POW/POS hybrid is vulnerable to a double spend attack by a POS block negating/orphaing a POW chain with enough blocks to have confirmed transactions.

I expect you have never looked at the source code of a POW/POW hybrid, because it it very clear POS and POW are not dependent on each other in any way.  They are completely separate methods.  It is true that POS only has never been tried before, but the POS system is secure in itself and has no known vulnerabilities.   POW is a proven system with a known vulnerability called 51% attack which is why POS was added.  POS/POW may be vulnerable by the method explained in the OP.   POS alone, again has no known vulnerabilities besides a 51% attack which would require owning 51% of the coins which would mean you already basically control the money supply and would devalue your own coins.

Isn't it true that most PoW/PoS hybrids have the same target block generation speed for both systems?  So why would there be many PoW blocks in a row unless it happens by random chance?

Some of yall are crazy.

He just had to hard fork his coin. Do you think he did this to blow smoke out his ass? hahaha

If the difficulty is very low due to low network hash rate then applying a substantially higher hashrate can cause many POW blocks to be generated quickly, much quicker than the target rate.

Today theres nothing more secure and proven that POS/POW Hybrid

To attack you need 1/2 os POS and 1/2 POW

Add cost to the attact.

looking at your posts and the OP
"double spend attack requires 1 PoS block and low hashing power."

So wouldn't this method of attack require that you control/know precisely when you are going to receive a PoS block, so that you can orphan your transactions that you confirmed on the PoW chain you control (otherwise somebody else will have a greater chance of getting the next PoS block, unless you control 51%)?
You made it sound earlier like it is not possible to control when a PoS block will be generated:
"The "attack" suggested is impossible because coins do not stake on age alone, therefore making deposits at small intervals in no way guarantees you will generate POS blocks at those intervals.  In fact splitting coins to generate these intervals will make the chance of staking at each interval even less"
So, are there ways to control/know the timing of PoS block generation even though coinage is not the sole determining factor?
If so, wouldn't that mean pure PoS is vulnerable too?

I have still not seen any good proofs around Sunny's PoS methods.

Someone pointed out a gaping hole once upon a time, he claimed to fix it but refused to explain, and since then everyone seems to have run along in blissful ignorance blindly spawning clones of the mysterious unexplained but according to its author fixed system.

Which might even by why no one has bothered to actually implement either of the methods of PoS that discussions in the development and technical section had eventually managed to come up with that seemed as if they might actually be able to work.

(Sunny was proud not to have even read any of the research, claiming he simply came up with an idea out of the blue himself and flew with it. Then on having it pointed out that it was utterly broken/flawed/vulnerable, claimed to have come up with a fix out of the blue himself, that he refused to explain.)

-MarkM-

I would say this to OP
People who live in glass houses shouldn't throw stones.

There's only one way to find out and that is to pick a target, attack, and see what happens.

Attacker should wait for 1 PoS block and delay announcing this block.

Maybe dev should build test coin and use 51% premine for attack to see what happens that way no damage to existing coins

It would not be the same as a standalone PoS system; rather, what it is is a PoS system plus a pathetically weak work PoW system which completely sidesteps aka does an end run around the PoS, so that the PoW attacker can attack without the PoS system getting in the way of the attack. Basically the PoS part is almost irrelevant given that the PoW attacker can do their attack and run with the loot before PoS even notices or acts?

Possibly the PoS might even lock into place the success of the attack, by building on a chain that already has the attack in place as having happened, over and done with, fait accompli ?

-MarkM-

thats pure speculation

Also though by the sound of it they can separately and independently conduct their attacks?

If so then maybe for example a PoW attack can be accomplished and over and done with then a PoS block or series of blocks come along taking the success of the attack as valid accomplished fact and building upon it?

And maybe vice-versa also?

So that although they are two independent separate means of securing a chain they are also two separate and independent vulnerabilities whereby attacks can be performed?

-MarkM-

So, in that case, what is preventing an attacker from waiting for multiple PoS blocks and delaying announcing the multiple PoS blocks to form a string of PoS blocks similar to a TX attack chain like the one anonymousg64 was talking about? If it is not possible to wait/delay more than one block per wallet, then one could easy use multiple wallets. If the timing of generating/announcing a single PoS block can be controlled, what is preventing reiteration of the process to control a series of single blocks?
Also, what would prevent another block from being announced at that same time or right before you? Say you control when you can announce your PoS block, but does that mean you can control when other people generate/announce theirs?

Well unless there is some kind of actual effort to collect objective facts about the matter it's not worth paying any attention to a lot of talk.

Until there is that's pure FUD

Ya markm knows what hes talking about.. But rather then talk gibberish its better to simply try a demo coin like last poster said.. run fast hash on non mined pow with low rewards and see if you cam break it before pos catches on... Would be cool to know once and for all.. maybe a curious dev can do this to put an end to all the shitcoins with pos claiming its the greatest thing when sunny king hasnt even explained himself yet regarding his fix...

Nothing prevents. Chance to find even 2 blocks in a row is low.
Long chain of PoS blocks is realistically only for exchanges with old coins in cold wallet.

I'm sure he does. But he has stated his thinking and now it is time to test it. If not, well...

At this point we all need concrete facts.

PoS block is a stochastic process.  You say this like it's a given that it can be done...it's not.

But like you said "Attacker should wait for 1 PoS block and delay announcing this block." Why couldn't this process be simply reiterated to form a string? You wouldn't need to "find" >2 blocks in a row, you would just need to announce them in a row. Or am I missing something?

My edit of what I said above, must have been editing while you responded:
"So, in that case, what is preventing an attacker from waiting for multiple PoS blocks and delaying announcing the multiple PoS blocks to form a string of PoS blocks similar to a TX attack chain like the one anonymousg64 was talking about? If it is not possible to wait/delay more than one block per wallet, then one could easy use multiple wallets. If the timing of generating/announcing a single PoS block can be controlled, what is preventing reiteration of the process to control a series of single blocks?
Also, what would prevent another block from being announced at that same time or right before you? Say you control when you can announce your PoS block, but does that mean you can control when other people generate/announce theirs?"

Similar to mercSuey's point that PoS is a stochastic process,

What would prevent another block from being announced at that same time or right before you? Assuming you can control when you can announce your PoS block, does that mean you can control when other people generate/announce theirs?

Colossuscoin is 100% Proof of Stake through Pow/Pos. It it the oldest Proof of stake only coin and I started working with it about 4 months ago, right after it finished Pow and became POS only.

Attacker should build a chain longer than main. The more he waits the less chance to success.


Yes, this attack has not 100% chance to success. The point is that average block time is known.
One honest PoS block will not stop attack. Two will.

Going back to the OP,
"At such difficulty a sequential chain of PoW blocks can be mined in a flash."

And what artiface said,
"If the difficulty is very low due to low network hash rate then applying a substantially higher hashrate can cause many POW blocks to be generated quickly, much quicker than the target rate."

How exactly is this possible, particularly with difficulty re-targeting every block? Also, it is my understanding that not only would the difficulty of finding a PoW block go up, but the difficulty of finding a PoS would go down in response as well.


Additionally, no matter how fast you can manage to generate a string of PoW blocks there is no way to know with certainty that a PoS block wont be randomly generated within that time and interrupt the string? The best you could do is estimate based on the average block time, right? But this would be further complicated since the chance of finding a PoS block is increased by PoW blocks being found.

You dont need 51% of the coins, you need 51% of the coin age
So, with a pure pos coin that has no upper limit for coin age it might be enough to own 10% of the coins and let them age long enough......

Blocks may have timestamp different from real time. This allows keeping low difficulty. Time window is limited but enough for this attack.


No.


Again, one PoS block will not stop attack. Two will.

What do you want to know about a POW/POS coin after its fully Proof of Stake?  How wallets interact? Pitfalls? Colossuscoin is the longest running POS only coin from POW 4 months ago. I'm looking to create a Proof of Stake only,  fee sharing system, Do any of you understand how multi-signiture transactions could work on the blockchain?

Also, could it be possible to have fees from transactions go to a particular address built into the blockchain where fees get distributed 75% to a central fund,  and 25% to an address that gets mined with your POS coins. POS mining is 7-15 days Max weight and POS interest is 15-30 days Max weight. I was also thinking that you could reduce blockchain size by having a large float but lower minimum such as 500,000,000,000.01  How would that affect size at a faster block time?

What would you recommend in terms of POS only for security, could TX fees be added to POS generation? If you used POW, could it be an added function for security and pays out based on POS? If you had fees being split and some that go into a central fund, it would mean that one address would have a full record of the blockchain, could that be loaded on a central server?

But the fact is that all POW/POW+POS/POS coins have the possiblities to get attacked.
Blackcoin has its problem just a week ago.

Yeah and does anybody else find it interesting how timing of the "timebomb attack" described here:
http://www.blackcoin.co/wallet-2/official-statement-regarding-blockchain-problems-23rd-of-march/

"To solve the issue, by making a check for such cases and making sure the right value is always returned we had to hard fork the BlackCoin blockchain at block 38424."

Corresponds to the problems that occurred at cryptorush:


???

I had suspected as much as well. But apparently the BC devteam was on the ball and it was really just a blip. I have been observing BC as well as other coins along the course of those events across several different threads such "operation shitcoin" the BTCX attack progress thread, the BC thread +more and pretty much got to watch the whole thing transpire from that vantage point.

Very interesting and dramatic forum experience btw lol. I've been participating in internet forums for over 10 years and Bitcointalk is among the best, that's for sure.

I guess it's the money that's at stake that makes it so piquant  :D

This I don't understand because of my own ignorance, like most of the things I don't understand, how is it possible that you only need to control one PoS block to orphan your PoW chain and carry out this attack but there would need to be two legitimate PoS blocks to stop the attack from occurring?


So this is attack is dependent upon an unknown? Is there a way to confirm one way or another?


Can you be a little more detailed? I have been told in the past that the two difficulties adjust to one another.

CryptoRush's problems with BlackCoin were due to their usage of the getbalance accounts function, which no other exchange out there uses for good reason:
https://en.bitcoin.it/wiki/Accounts_explained#Account_Weaknesses

In fact, the fork itself has nothing to do with the losses that CryptoRush had due to the usage of the accounts feature. If CryptoRush had checked the new version of BlackCoin before implementing it in their live exchange there would've been no losses since they would have found the issue with the accounts feature immediatly and asked us to fix it.  

But again we are discussing BlackCoin vs Mintcoin while we are talking security vunerabilities of PoW/PoS hybrid based systems.

Thanks for clarifying. I made no mention of Mintcoin vs Blackcoin. Just talking security, of both PoW/PoS hybrid systems and pure PoS.

This seems weird to me. The blackcoin gets hacked and killed cryptorush and now it blames the algorithm. Is MINT hacked? If it is so easy as one PoS block why not try to hack MINT and prove your "theory"? You'll quickly find your "theory" is flawed.

Time for real facts, not speculation.

Try reading this...

https://bitcointalk.org/index.php?topic=529779.0 (https://bitcointalk.org/index.php?topic=529779.0)

Maybe then you will realise cryptorush committed suicide.

From what I read and understand, I suspect that forks are coming soon on POS/POW and POS only coins. But, this is perfectly fine.

We are talking about software, it can not be flawless. My personal experience, working for more than 15 years on a sw giant that controls more than 50% of the global market in a mainstream technology, proves it. There are hundreds of people here, working only on sw fault fixing, by patching the code all the time and deliver these patches to the customers around the globe.

So, please take it easy and relax. The possible faults will be discovered and fixed.

And have something else in mind: The real developers respect and support each other and they do not do "dogfights" as the coins investors/zealots/holders (you name it) do. And from what I saw so far, at least BC and MINT both have real developers.

SAP?

Agreed. These things need to be discussed. A lot of good can come out of it. Although, perhaps this would be better discussed not on a public thread such as this, where if any true and effective attack mechanism were described it would then be readily available for people to recognize and exploit. I think that, if somebody actually had good intentions for pointing out what they theorize as and believe is a possible security hole then they should have contacted the devs of the vulnerable coins directly and not stated the possible exploit on a public thread (IMHO; I also expressed this opinion to anonymousg64 when he started talking about the theoretical TX bug). FYI I have contacted both the mintcoin dev and the eccoin dev and neither of them are concerned about this "security issue"... whether that means it is not an issue at or, or that it is one that can be easily solved I am not entirely sure (they both made it sound like it was likely the former, though).

First post has been updated with second attack, actually tested on Mintcoin.

I wouldn't be afraid of operation shitcoin too much, they are more concerned community members than destructive hackers. I much prefer their "I don't give a fuck" attitude than people too afraid what others think but I guess I just like the renegade style.

rat4 i am impressed.

To be honest i am not programmer but i see that you know what you are are doing.
I have checked those blocks and i can confirm that your test attack is successful.

just use:
mintcoin-explorer.info
"no PoS blocks from 203231 up to 203441, more than 1 hour of real time"
and check those POW only blocks.
And it looks like that is no longer true, for now:


And Mintcoin is open for double spend attack according to Wiki...
https://en.bitcoin.it/wiki/Double-spending

I think you should apologize now rat4, thank him and pay him BIG bounty for helping Mintcoin and others for founding bugs...
And even bigger bounty for solving issue...

PS:He just mined 1h in POW Mintcoin you want more evidence... ? Do you want double spend ?

serious props to rat4. better to find out now then have it escalate.

Wow great job rat4 on finding this... while others tried to turn a blind eye to the subject to protect the image of their dear coin, you pointed out the flaws so that they could hopefully fix them.

Great dev!!

Hear hear! This is a true act of community-service, a contribution of enormous value to the evolution of safe and legitimate cryptocurrency. It speaks for itself, from far above the maddening crowd, and partisan mudslinging based on ignorance and greed.

I expect some apologies from people in here calling fud when he was trying to help other coins..

Told OP it was a bad idea, was ignored by OP in the Blackcoin thread. If you don't understand the code you're modifying, don't muck with it.

https://bitcointalk.org/index.php?topic=509928.msg5651789#msg5651789
https://bitcointalk.org/index.php?topic=469640.msg5651892#msg5651892

There is another issue with using stake modifiers derived only from PoS blocks as well.

looks like the fud is still happening, I wouldn't hold your breath

This should NOT have been publicly exposed. If rat4 was truly a good guy he would have communicated this privately with the mintcointeam so that they could work on a fix before all was revealed. Not cool.

These attacks are not applicable to BlackCoin. Guess why.

That was done. This was posted 18 hours after notifying the mintcoin dev's.

That is what someone who is honest would have done, but he went and got a bunch of people from the BC thread to come to this thread and the mintcoin thread to spread FUD

We don't know even if there was actually a successful attack or not yet, that hasn't been confirmed. I certainly didn't notice any attack.

My guess is that you modified the trust weighting for PoS blocks (to lessen weighting for any individual block based on coinage) or that you manipulated timestamping variability (https://github.com/rat4/blackcoin/commit/06e30838eae9a33d9d40d4e2bc6076141a719c47), neither of which are great solutions in the distributed system you're playing with.

It looks like you tried to fix the stake modifier with a hardfork and then broke it in the process, too:
https://github.com/rat4/blackcoin/commit/47d2eec662b738b39cdb45f3ef6f72a13b929268#diff-25d902c24283ab8cfbac54dfa101ad31
https://github.com/rat4/blackcoin/commit/9dea231970c5c73dd6b7e3d0d20210233574a179#diff-25d902c24283ab8cfbac54dfa101ad31

Others vulnerabilities exist and you still refuse to address them (the "nothing at stake" fork, stake modifier manipulation).

Perhaps now is the time for additional helpful security testing of blackcoin?

We welcome you to, really.

We are talking about systems that keeps track of people's money. People invest in coins with their hard earned money or do it via mining with their expensive equipment. If the coin's system is at risk this is a risk for everyone involved.

If you are successfull, have the same decency as us and report it to the devs. We did for MintCoin and you do not want to read their response. That is the sole reason it has been posted here. We too have money invested in other crypto's and would like them to be as secure as possible, that's why we checkout other coins security and report security risks immediatly.

You mean same decency and also helpfully inform all mintholders to go to BC thread and spread FUD?

No, I won't be doing that.

Sry mgburks77 but Soepkip just answered because some people accuse BC developers Soepkip is one of them...
He is not just random hater, flamer or FUDer...I just believe him he proved his trustworthy and transparency so far.

Zero difficulty PoW is open door and cannot be trusted. One of possible fixes is to disable PoW.

he's one of the one's so helpfully spreading FUD

so no, that is not the type of attention he is attracting


Thank you. I wondered if that was a possibility or not.

Or you can have PoW with a reasonable subsidy and use it to secure the network, but then you just have PeerCoin.  Unsurprisingly, Peercoin works because of this and not in spite of this.  Now you've simply opened yourself to all the catastrophic bugs in PeerCoin's PoS system that you refuse to acknowledge.

There are easy applied fixes for hybrid PoW/PoS with low subsidy that involve adjusting the trust of the timestamping of PoW blocks and content of PoW blocks in general -- but again, there are the same PoS bugs which already exist in PeerCoin, which are non-trivial.

ok
https://github.com/ethereum/wiki/wiki/Problems (See 5. Create an incentive-compatible proof-of-stake currency) and also here: http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/

https://bitcointalk.org/index.php?topic=131940.0 (addressed by the creation of kernel.h and kernel.cpp which compute the stake modifier, which has its own problems)

So basically the claim is that because of this vulnerability it is possible to complete a 51% attack.

Is that or is that not also a possibility with pure PoS coins?

I'm not seeing how the security status of blackcoin is any different than the security status of mintcoin, as both are supposedly vulnerable to this attack. Which from what i gather is quite expensive to launch successfully and therefore highly unlikely in the first place.

Thanks a lot, this is very interesting. To problem #1: What exactly is meant with consensus failure and how does it affect network security? So if I have a faked time stamp that is t seconds in the future, how much less coins do I need to perform a 51% attack?

Okay, for your understanding:

1) All coins ever created are suspectable to 51% attacks.
2) Mintcoin is PoW/PoS hybrid
3) We have succesfully tested a hypothesis that prevents PoS blocks from being accepted. - This means that MintCoin was PoW-only for one full hour.
4) Due to the low rewards on the Mintcoin PoW chain the hashrate is low. This means that during that time that MintCoin is PoW-only it is very easy to perform a 51% attack.

What if everyone else IS NOT mining both?

This is the means to generating hashes for PoS for PPC (paraphrased a little):

You can game this in a bunch of ways.  If you're building your own chain of blocks, you can manipulate the timestamp; BlackCoin uses 10 minute intervals, so there's another 600 chances right there (+ 10 min).  If you want to build lots of blocks, you need coinstake distributed in lots of places (nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n).

Now you can bruteforce a chain of length whatever privately so long as you have a bunch of coinstake at different addresses, and then doublespend using that.  Unless everyone is trying to do this, you don't need 51% stake to do this -- just the hoarding of a bunch of stake and some bruteforcing at an exacting time and you can doublespend.  This is why PoS in PPC and friends defaults to PoW; you're just manipulating a bunch of different factors in search of golden "nonces" (manipulations of non-nonce parameters) in a chain of blocks instead of simply increasing the nonce.

Using PoW blocks to make stake modifiers can also help prevent you from being able to game this a bit from the "if (!GetKernelStakeModifier(blockFrom.GetHash(), nStakeModifier, nStakeModifierHeight, nStakeModifierTime, fPrintProofOfStake)) return false;" portion, but I don't think it completely eliminates the risk.

Sunny King at some point mentioned changing confirmation rules from number of blocks that have passed to the amount of coinage that has been included in blocks since a transaction has taken place ("trust score").  But this still doesn't solve the "nothing at stake" forking problem, and you can still likely doublespend in that case with <51% stake.

As soon as someone doublespends successfully on the network using the current PoS protocol, any node that is even modestly intelligent is going to switch to a more belligerent protocol that better defends the value of their coins.  Then you run into this problem.

so Tacotime,

for a newbie which coin Mintcoin/Blackcoin is more vulnerable to attack, with Blackcoin being Pure POS and Mintcoin being a POW/POS hybrid?

OK, but can they doublespend if some miners are already only doing PoW only mining for a hybrid PoS coin?

No, so long as the PoW difficulty is high enough to actually secure the network.  This requires subsidy (block reward) to be high enough to justify lots of people mining the chain.  Hence why PeerCoin works.

They both are vulnerable.  PeerCoin is what is (sort of) functional.

The big problem is simply that none of the scamcoin devs care, because if one scam fails it is so easy to simply launch another.

So bullshitting and bluffing and yelling "FUD!" and so on ensues until someone actually does trash the value of the scam's coins enough to make pasting another announce of another launch seem more worthwhile than posting claims of FUD.

Sunny is simply the first of many such scam "devs", notice he never did even bother to try to justify in what way his fix was a fix, he just went like oh yeah ok its true my idea was utterly broken butv thats okay I fixed it now. With nothing explaining how exactly the supposedly fix actualyl fixed anything.

Also tore a leaf from the solidcoin book, putting in a centralised privileged node.

It is more centralised that solidcoin as it uses just one privileged node it seems at least realsolid had a token decentralisation in the form of having more than one privileged node. But nonetheless solidcoin was laughed out of town so to speak, but nowadays the pronzi-players want a constant stream of new scams to get in on the bottom of and promote, so don't care anymore that all the coins coming out are scams because they are themselves scammers looking for scams to promote to scam money out of people so all these scams are just fine for their purposes.

Except for all the facts, which they decry as "FUD", because they think that if the people they are promoting the scams to knew for a fact they were scams less suckers might fall for them. Knowing it is a scam causes people to fear being a victim of the scam, be uncertain whether they can profit from the scam fast enough instead of being one of the victims, and doubt whether they can suck in enough new victims to ensure their own profit. Hence, "FUD".

-MarkM-

Well, I guess there needs to be an actual attack to prove it.

Until then it's FUD

There was an actual attack, the proof if it is in the blockchain. Watch from 203198 and up. Look at the timestamps. Look at the type of blocks.
We have no reason to break mintcoin's chain. We have merely proofed it takes about 5 minutes to turn mintcoin into PoW only for 1 hour+.

See, they don't even care if it is attacked, in fact they urge an attack, insist jupon an attack as the only way they will even admit that they are running a scam.

They don't care if it gets attacked because they can clone hundreds more identical scams with different names and images and other similar minor details changed and claim oh this one is different, until someone actually pulls off an attack this one is not a scam...

Oops missed prior post.

I guess they also don't care if there is an attack because they will just claim that the attack does not matter, so what we are a scam uh I mean were demonstrably successfully attacked, we are making money, suckers are falling for the scam, so fooey on you you FUDster, suckers are gonna get suckered no matter what you do, so hahaha I win.

-MarkM-

An attack has been demonstrated against Mintcoin that disabled pos mining and only allowed pow mining, leaving it wide open to a 51% attack. The first stage of this was demonstrated. The second stage only wasn't executed out of manners (51% attacking a coin with 0.1 difficulty is easy).

No such attack has been demonstrated against Blackcoin. In fact the above attack by definition isn't possible since there isn't any pow mining.

What the hell are you talking about?

You have to prove you can double spend or it's FUD and that's all there is to that.

Why should anyone take the claims of sock puppet accounts seriously?

You guys seem pretty knowledgeable about this stuff for a bunch of newbies lol

i agree. well done.

+1

um the original post by the blackcoin developer lists the blocks which were successfully attacked. Those blocks were forced to proof of work only and proof of work only blocks have close to 0 difficulty. Only thing which protects from a 51% attack is high difficulty.

I would be shitting my pants if I held mintcoin right now hence why the price is crashing

ha ha the price is exactly the same as it was when this thread was posted

I have some mintcoin and I say do the double spend attack, if you can. I want to see if I am going to put more money into this or not.

I already said I regretted how I originally addressed rat4, it was rude, why not include that? Not to mention this is an entirely different problem, so everything I said up until now was concerning "attack 1". Thank you for finding the bug, rat4. But, as far as I can see he has not provided a fix for the issue. He has publicly displayed a security flaw thereby allowing anybody to now take advantage of it, and allowing the entire BC community to use this to defame Mint thread and others. So I still doubt his motives were in the right place, I won't be thanking him for that.

Maybe ask the MINT devs to fix this? :)

Hi Tacotime, thanks for the information! I notice you have an ad in your signature that describes a PoS/PoW hybrid.

Have you been able to resolve the issue with that coin?

It's a very different system; basically PoS miners vote on every PoW block to verify the contents, and PoW blocks are validated one block at a time.  PoS miners are given complete control over the contents of PoW blocks and whether or not the PoW miner gets rewards.

This is a *really* experimental incentives system and it might do crazy things yet.  The Bitcoin core devs I've talked to are wary of it doing things I haven't predicted.  Additionally, it relies heavily on PoW (which I think is a good and reasonably fair distribution system).  But it does not have the "nothing at stake" forking issue.

It's more comparable to a blockchain with "two factor authentication" for every PoW block, to ensure that miners aren't putting weird transactions into the network or are simply not including transactions.

I've been a MINT investor from the start. go most on my MINT at 8

today i told them I sold half my stake and keeping it BTC. first thing i thought was just stick it in blackcoin.

but from what ive seen fromthe exchanges market has become the last 2 months i'm just sticking with BTC.


i wished they was a bigger response from MINT people.



people know i never bash MINT, but we have to address issues like this.

Is there a projected release date or is it totally experimental? 

Hopefully testnet within 2-5 months or so, then mainchain launch after the testnet seems stable.

Interesting. Thanks for the info!!! 8)

Sheesh. Wish I saw this thread when it was first posted. For someone running around MINT & BC thread, I'm still missing info.  :-\

Thank you for your help Blackcoin community, you know which people you are (rat4, Soepkip, etc). Perhaps now we can put our differences aside and work together or at the very least coexists as pure PoS coins.

Looks like I called it on the first page. Thanks rat4 for exposing the flaw and not leaving anybody with a bag of unconfirmed mints. Good guy dev makes competing coin more secure.

+1. And sorry for being rude and assumptious with my initial post of this thread, it was uncalled for.

Hmm I know what I'm trying out tomorrow morning

 ::)

Were not there other ways to fix this issue?

For example, if the problem is PoW difficulty gets too low, why not set a minimum difficulty for PoW mining?

Or, do not allow two PoW blocks in a row.  Enforce that a least one PoS block is between each PoW block?

I think those fixes might be better than to just eliminating PoW altogether.  Just trying to understand this better.

If you set a lower bound to the difficulty that is much larger than the actual difficulty level then it is absolutely not profitable for any miner to generate PoW blocks anymore which basically leads to the same problem.

What about this idea? Can it be implemented? And is it worth doing?

Most of the premined pos coins are not profitable to mine pow anyway.. 1 coin per block at 20 sats.

I figure the devs were either lazy or dont understand the code enough to fully remove pow thus they just set the reward to the minimum so its quick and dirty. In reality if the pow is not helping with block authentication it
should be removed... surely devs knew if a hybrid approach was beneficial or not to the security against attacks that are common sense with both pow and pos?

Wouldn't this be the same as raising the PoW difficulty to the level that only one PoW would be generated in the time one PoS block gets generated? I don't really see the difference.

it wouldn't require that minors participate for a low block reward, yet you receive the same result

I'm a MINT investor and want to thank you guys for exposing the issue. and no destroying the coin


 i never bash people and dont know why MINT people did.


thanks again.

I am trying to qualify the claim made by the OP, that MintCoin had no PoS block in a hour.

What is the proof that this was because of the "attack", or there was just nothing to stake during that hour?

Also, how would an PoS block in a hybrid coin "invalidate many PoW blocks"? The PoW and PoS chains are pretty much independent, no?

Hi

Is a classic standart non-POS sCrypt (end of POW) easily attackable ?

Just read through this thread. Lots of good info. Any updates to these security flaws?